Exemple #1
    def test_modify_user_admin_assign(self):
        """Check that an admin login can grant the 'admin' role to 'user'.

        Logs in as 'admin', PATCHes /api/users/user with a roles.add payload
        and expects HTTP 200 plus both 'users' and 'admin' on the stored user.
        """
        response = login_user(self.client, 'admin', 'admin')
        validate_user_login(self, response)

        data = {
            'roles': {
                'add': [{'role_id': 'admin'}]
            }
        }

        # NOTE(review): the session is rewritten to user_id 'user' although the
        # login above was 'admin'. If self.client is Flask's test client, edits
        # made in session_transaction() are saved only when the with-block
        # exits, so the PATCH below would still run under the admin login.
        # Confirm which identity this request is actually authorized as.
        with self.client.session_transaction() as session:
            session['user_id'] = 'user'
            session['_fresh'] = True

            response = self.client.patch(
                '/api/users/user',
                data=json.dumps(data),
                content_type='application/json'
            )
            self.assertEqual(response.status_code, 200)

            # Re-read the user so the check covers persisted state, not only
            # the status code.
            user = User.query.get('user')
            self.assertEqual(len(user.roles), 2)
            # NOTE(review): the index-based checks assume roles are returned in
            # a stable order ('users' first) -- confirm against the model.
            self.assertEqual(user.roles[0].role_id, 'users')
            self.assertEqual(user.roles[1].role_id, 'admin')
Exemple #2
    def test_modify_role_unauthorized(self):
        """An unprivileged account must not be able to modify a role.

        Logs in as 'user' and PATCHes /api/roles/users with a new
        description; the API is expected to answer 401.
        """
        login_response = login_user(self.client, 'user', 'user')
        validate_user_login(self, login_response)

        payload = json.dumps({'description': 'New Name'})
        patch_response = self.client.patch(
            '/api/roles/users',
            data=payload,
            content_type='application/json',
        )

        # Only the status code is asserted; the stored role description is
        # not re-read after the rejected request.
        self.assertEqual(patch_response.status_code, 401)
Exemple #3
    def test_create_role(self):
        """An admin login can create a new role via POST /api/roles.

        Sends role_id 'backup' with a description and expects HTTP 201.
        """
        login_response = login_user(self.client, 'admin', 'admin')
        validate_user_login(self, login_response)

        payload = json.dumps({
            'role_id': 'backup',
            'description': 'Backup Operators',
        })
        post_response = self.client.post(
            '/api/roles',
            data=payload,
            content_type='application/json',
        )

        # Only the status code is asserted; the created role is not read back.
        self.assertEqual(post_response.status_code, 201)
Exemple #4
    def test_modify_user(self):
        """A logged-in user can change their own name with PATCH.

        Logs in as 'user', PATCHes /api/users/user with a new name, and
        expects HTTP 200 and the new name on the stored record.
        """
        login_response = login_user(self.client, 'user', 'user')
        validate_user_login(self, login_response)

        payload = json.dumps({'name': 'New User Name'})
        patch_response = self.client.patch(
            '/api/users/user',
            data=payload,
            content_type='application/json',
        )
        self.assertEqual(patch_response.status_code, 200)

        # Re-read the record so the check covers persisted state as well as
        # the HTTP status.
        stored_user = User.query.get('user')
        self.assertEqual(stored_user.name, 'New User Name')
Exemple #5
    def test_modify_user_wrong_user(self):
        """Check that 'user' cannot PATCH another account's record.

        Logs in as 'user', PATCHes /api/users/alice and expects HTTP 401.
        """
        response = login_user(self.client, 'user', 'user')
        validate_user_login(self, response)

        data = {'name': 'New User'}

        # NOTE(review): this sets user_id to the account that is already
        # logged in. If self.client is Flask's test client, edits made in
        # session_transaction() are saved only when the with-block exits, so
        # they would not reach the PATCH below -- confirm the block is needed.
        with self.client.session_transaction() as session:
            session['user_id'] = 'user'
            session['_fresh'] = True

            response = self.client.patch(
                '/api/users/alice',
                data=json.dumps(data),
                content_type='application/json'
            )
            # NOTE(review): only the status code is asserted. The test does not
            # re-read 'alice' to prove the record stayed unchanged, and the
            # fixtures that would show whether 'alice' exists are not visible
            # here -- verify both.
            self.assertEqual(response.status_code, 401)
Exemple #6
    def test_modify_user_no_privilege_escalation(self):
        """A regular user must not be able to grant themself the admin role.

        Logs in as 'user', PATCHes /api/users/user with a roles.add payload
        for 'admin', and expects HTTP 401 with the stored roles unchanged.
        """
        login_response = login_user(self.client, 'user', 'user')
        validate_user_login(self, login_response)

        role_grant = {'roles': {'add': [{'role_id': 'admin'}]}}
        patch_response = self.client.patch(
            '/api/users/user',
            data=json.dumps(role_grant),
            content_type='application/json',
        )
        self.assertEqual(patch_response.status_code, 401)

        # The rejection must also leave persisted state untouched: the user
        # still holds exactly one role, 'users'.
        stored_user = User.query.get('user')
        self.assertEqual(len(stored_user.roles), 1)
        self.assertEqual(stored_user.roles[0].role_id, 'users')